Accepting request 872987 from GNOME:Next
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d. - Rebase avahi-daemon-check-dns-suse.patch, and drop privileges when invoking avahi-daemon-check-dns.sh (boo#1180827 CVE-2021-26720). - Add sudo to requires: used to drop privileges. OBS-URL: https://build.opensuse.org/request/show/872987 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/avahi?expand=0&rev=182
parent
cbc274f781
commit
bdcdeadf85
@ -1,5 +1,5 @@
|
|||||||
--- avahi-daemon-check-dns.sh.debian 2012-03-04 05:24:07.000000000 +0100
|
--- avahi-daemon-check-dns.sh.debian 2021-01-27 15:28:07.832795734 -0600
|
||||||
+++ avahi-daemon-check-dns.sh 2012-05-23 20:06:27.121923772 +0200
|
+++ avahi-daemon-check-dns.sh 2021-01-27 15:39:35.364471899 -0600
|
||||||
@@ -5,15 +5,15 @@
|
@@ -5,15 +5,15 @@
|
||||||
|
|
||||||
PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
||||||
@ -13,48 +13,16 @@
|
|||||||
+AVAHI_DAEMON_DETECT_LOCAL=yes
|
+AVAHI_DAEMON_DETECT_LOCAL=yes
|
||||||
|
|
||||||
-test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon
|
-test -f /etc/default/avahi-daemon && . /etc/default/avahi-daemon
|
||||||
+test -f /etc/sysconfig/avahi-daemon && . /etc/sysconfig/avahi-daemon
|
+test -f /etc/sysconfig/avahi && . /etc/sysconfig/avahi
|
||||||
|
|
||||||
-if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "1" ]; then
|
-if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "1" ]; then
|
||||||
+if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "yes" ]; then
|
+if [ "$AVAHI_DAEMON_DETECT_LOCAL" != "yes" ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -96,12 +96,8 @@
|
--- avahi-daemon.if-up.debian 2021-01-27 16:09:50.922179542 -0600
|
||||||
# no unicast .local conflict, so remove the tag and start avahi again
|
+++ avahi-daemon.if-up 2021-01-27 16:11:54.942842665 -0600
|
||||||
if [ -e ${DISABLE_TAG} ]; then
|
@@ -3,10 +3,10 @@
|
||||||
rm -f ${DISABLE_TAG}
|
|
||||||
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
|
||||||
- invoke-rc.d avahi-daemon start || true
|
|
||||||
- else
|
|
||||||
- if [ -x "/etc/init.d/avahi-daemon" ]; then
|
|
||||||
- /etc/init.d/avahi-daemon start || true
|
|
||||||
- fi
|
|
||||||
+ if [ -x "/etc/init.d/avahi-daemon" ]; then
|
|
||||||
+ /etc/init.d/avahi-daemon start || true
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
@@ -110,14 +106,8 @@
|
|
||||||
[ -e ${DISABLE_TAG} ] && return
|
|
||||||
|
|
||||||
if [ -x /etc/init.d/avahi-daemon ]; then
|
|
||||||
- if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
|
||||||
- invoke-rc.d --force avahi-daemon stop || true
|
|
||||||
- else
|
|
||||||
- if [ -x "/etc/init.d/avahi-daemon" ]; then
|
|
||||||
- /etc/init.d/avahi-daemon stop || true
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
- if [ -x /usr/bin/logger ]; then
|
|
||||||
+ /etc/init.d/avahi-daemon stop || true
|
|
||||||
+ if [ -x /bin/logger ]; then
|
|
||||||
logger -p daemon.warning -t avahi <<EOF
|
|
||||||
Avahi detected that your currently configured local DNS server serves
|
|
||||||
a domain .local. This is inherently incompatible with Avahi and thus
|
|
||||||
--- avahi-daemon.if-up.debian 2012-03-04 05:24:07.000000000 +0100
|
|
||||||
+++ avahi-daemon.if-up 2012-05-24 19:38:04.347420848 +0200
|
|
||||||
@@ -3,7 +3,7 @@
|
|
||||||
# Don't run the avahi-daemon unicast local check while bringing up
|
# Don't run the avahi-daemon unicast local check while bringing up
|
||||||
# the loopback device; it's not necessary until we bring up a real network
|
# the loopback device; it's not necessary until we bring up a real network
|
||||||
# device
|
# device
|
||||||
@ -63,3 +31,7 @@
|
|||||||
|
|
||||||
# If we have an unicast .local domain, we immediately disable avahi to avoid
|
# If we have an unicast .local domain, we immediately disable avahi to avoid
|
||||||
# conflicts with the multicast IP4LL .local domain
|
# conflicts with the multicast IP4LL .local domain
|
||||||
|
if [ -x /usr/lib/avahi/avahi-daemon-check-dns.sh ] ; then
|
||||||
|
- exec /usr/lib/avahi/avahi-daemon-check-dns.sh
|
||||||
|
+ sudo -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh
|
||||||
|
fi
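Review bot: The added `sudo -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh` line makes the if-up hook depend on the local sudoers policy; if that policy does not let the caller run commands as this user and group, sudo may refuse or ask for a password while an interface is being brought up. Passing `-n` keeps the hook non-interactive, e.g. `sudo -n -u avahi -g avahi /usr/lib/avahi/avahi-daemon-check-dns.sh`. A comment above it such as `# run the check unprivileged: it creates and removes files under the avahi-owned run directory (CVE-2021-26720)` would record why `exec` was replaced. Since the hook presumably already runs as root, `runuser` or `setpriv` from util-linux could drop privileges without consulting sudoers and without the new `Requires: sudo`. The rest of avahi-daemon.if-up lies outside this hunk.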
|
||||||
|
@ -21,7 +21,20 @@ ensure_rundir() {
|
|||||||
if [ ! -d ${RUNDIR} ] ; then
|
if [ ! -d ${RUNDIR} ] ; then
|
||||||
mkdir -m 0755 -p ${RUNDIR}
|
mkdir -m 0755 -p ${RUNDIR}
|
||||||
chown avahi:avahi ${RUNDIR}
|
chown avahi:avahi ${RUNDIR}
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
log_disable_warning() {
|
||||||
|
if [ -x /usr/bin/logger ]; then
|
||||||
|
logger -p daemon.warning -t avahi <<EOF
|
||||||
|
Avahi detected that your currently configured local DNS server serves
|
||||||
|
a domain .local. This is inherently incompatible with Avahi and thus
|
||||||
|
Avahi stopped itself. If you want to use Avahi in this network, please
|
||||||
|
contact your administrator and convince him to use a different DNS domain,
|
||||||
|
since .local should be used exclusively for Zeroconf technology.
|
||||||
|
For more information, see http://avahi.org/wiki/AvahiAndUnicastDotLocal
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
dns_reachable() {
|
dns_reachable() {
|
||||||
@ -31,12 +44,17 @@ dns_reachable() {
|
|||||||
# If there is no local nameserver and no we have no global ip addresses
|
# If there is no local nameserver and no we have no global ip addresses
|
||||||
# then we can't reach any nameservers
|
# then we can't reach any nameservers
|
||||||
if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
|
if ! $(egrep -q "nameserver 127.0.0.1|::1" /etc/resolv.conf); then
|
||||||
# Get addresses of all running interfaces
|
if [ -x "$(which ip)" ]; then
|
||||||
ADDRS=$(LC_ALL=C ifconfig | grep ' addr:')
|
ADDRS=$(ip addr show scope global | grep inet)
|
||||||
# Filter out all local addresses
|
ROUTES=$(ip route show 0.0.0.0/0)
|
||||||
ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link')
|
elif [ -x "$(which ifconfig)" -a -x "$(which route)" ]; then
|
||||||
# Check we have a default route
|
# Get addresses of all running interfaces
|
||||||
ROUTES=$(route -n | grep '^0.0.0.0 ')
|
ADDRS=$(LC_ALL=C ifconfig | grep ' addr:')
|
||||||
|
# Filter out all local addresses
|
||||||
|
ADDRS=$(echo "${ADDRS}" | egrep -v ':127|Scope:Host|Scope:Link')
|
||||||
|
# Check we have a default route
|
||||||
|
ROUTES=$(route -n | grep '^0.0.0.0 ')
|
||||||
|
fi
|
||||||
if [ -z "${ADDRS}" -o -z "${ROUTES}" ] ; then
|
if [ -z "${ADDRS}" -o -z "${ROUTES}" ] ; then
|
||||||
return 1;
|
return 1;
|
||||||
fi
|
fi
|
||||||
@ -55,7 +73,8 @@ dns_has_local() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
OUT=`LC_ALL=C host -t soa local. 2>&1`
|
# Use timeout when calling host as workaround for LP: #1752411
|
||||||
|
OUT=`LC_ALL=C timeout 5 host -t soa local. 2>&1`
|
||||||
if [ $? -eq 0 ] ; then
|
if [ $? -eq 0 ] ; then
|
||||||
if echo "$OUT" | egrep -vq 'has no|not found'; then
|
if echo "$OUT" | egrep -vq 'has no|not found'; then
|
||||||
return 0
|
return 0
|
||||||
@ -96,12 +115,10 @@ enable_avahi () {
|
|||||||
# no unicast .local conflict, so remove the tag and start avahi again
|
# no unicast .local conflict, so remove the tag and start avahi again
|
||||||
if [ -e ${DISABLE_TAG} ]; then
|
if [ -e ${DISABLE_TAG} ]; then
|
||||||
rm -f ${DISABLE_TAG}
|
rm -f ${DISABLE_TAG}
|
||||||
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
if [ -d /run/systemd/system ]; then
|
||||||
invoke-rc.d avahi-daemon start || true
|
systemctl start avahi-daemon.socket avahi-daemon.service || true
|
||||||
else
|
elif [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||||
if [ -x "/etc/init.d/avahi-daemon" ]; then
|
/etc/init.d/avahi-daemon start || true
|
||||||
/etc/init.d/avahi-daemon start || true
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -109,24 +126,12 @@ enable_avahi () {
|
|||||||
disable_avahi () {
|
disable_avahi () {
|
||||||
[ -e ${DISABLE_TAG} ] && return
|
[ -e ${DISABLE_TAG} ] && return
|
||||||
|
|
||||||
if [ -x /etc/init.d/avahi-daemon ]; then
|
if [ -d /run/systemd/system ]; then
|
||||||
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
|
systemctl stop avahi-daemon.socket avahi-daemon.service || true
|
||||||
invoke-rc.d --force avahi-daemon stop || true
|
log_disable_warning
|
||||||
else
|
elif [ -x "/etc/init.d/avahi-daemon" ]; then
|
||||||
if [ -x "/etc/init.d/avahi-daemon" ]; then
|
/etc/init.d/avahi-daemon stop || true
|
||||||
/etc/init.d/avahi-daemon stop || true
|
log_disable_warning
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if [ -x /usr/bin/logger ]; then
|
|
||||||
logger -p daemon.warning -t avahi <<EOF
|
|
||||||
Avahi detected that your currently configured local DNS server serves
|
|
||||||
a domain .local. This is inherently incompatible with Avahi and thus
|
|
||||||
Avahi disabled itself. If you want to use Avahi in this network, please
|
|
||||||
contact your administrator and convince him to use a different DNS domain,
|
|
||||||
since .local should be used exclusively for Zeroconf technology.
|
|
||||||
For more information, see http://avahi.org/wiki/AvahiAndUnicastDotLocal
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
ensure_rundir
|
ensure_rundir
|
||||||
touch ${DISABLE_TAG}
|
touch ${DISABLE_TAG}
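Review bot: In the disable_avahi hunk, `systemctl stop avahi-daemon.socket avahi-daemon.service || true` is followed unconditionally by `log_disable_warning`, `ensure_rundir` and `touch ${DISABLE_TAG}`, so a failed stop still logs that Avahi stopped itself and still leaves the tag that makes later runs return early. This matters more now that the same commit runs the script as the avahi user, which may not be permitted to stop the units or to create the run directory (neither is visible on this page). I would gate the warning on success, `if systemctl stop avahi-daemon.socket avahi-daemon.service; then log_disable_warning; fi`, do the same in the init.d branch, and write the tag only when the stop worked. The `${DISABLE_TAG}` and `${RUNDIR}` expansions are also unquoted here and in ensure_rundir and enable_avahi; `"${DISABLE_TAG}"` is the safer form. The closing brace of disable_avahi is outside the hunk.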
|
||||||
|
@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
|
|||||||
Group: System/Daemons
|
Group: System/Daemons
|
||||||
URL: http://www.avahi.org/
|
URL: http://www.avahi.org/
|
||||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||||
Source1: avahi-daemon-check-dns.sh
|
Source1: avahi-daemon-check-dns.sh
|
||||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||||
Source4: avahi-glib-gettext.m4
|
Source4: avahi-glib-gettext.m4
|
||||||
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
|||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
Requires: nss-mdns
|
Requires: nss-mdns
|
||||||
|
Requires: sudo
|
||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
#
|
#
|
||||||
# mDNSResponder was used for <= 10.2:
|
# mDNSResponder was used for <= 10.2:
|
||||||
|
@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
|
|||||||
Group: Development/Languages/Mono
|
Group: Development/Languages/Mono
|
||||||
URL: http://www.avahi.org/
|
URL: http://www.avahi.org/
|
||||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||||
Source1: avahi-daemon-check-dns.sh
|
Source1: avahi-daemon-check-dns.sh
|
||||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||||
Source4: avahi-glib-gettext.m4
|
Source4: avahi-glib-gettext.m4
|
||||||
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
|||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
Requires: nss-mdns
|
Requires: nss-mdns
|
||||||
|
Requires: sudo
|
||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
#
|
#
|
||||||
# mDNSResponder was used for <= 10.2:
|
# mDNSResponder was used for <= 10.2:
|
||||||
|
@ -50,7 +50,7 @@ License: LGPL-2.1-or-later
|
|||||||
Group: System/Daemons
|
Group: System/Daemons
|
||||||
URL: http://www.avahi.org/
|
URL: http://www.avahi.org/
|
||||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||||
Source1: avahi-daemon-check-dns.sh
|
Source1: avahi-daemon-check-dns.sh
|
||||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||||
Source4: avahi-glib-gettext.m4
|
Source4: avahi-glib-gettext.m4
|
||||||
@ -103,6 +103,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
|||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
Requires: nss-mdns
|
Requires: nss-mdns
|
||||||
|
Requires: sudo
|
||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
#
|
#
|
||||||
# mDNSResponder was used for <= 10.2:
|
# mDNSResponder was used for <= 10.2:
|
||||||
|
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 16 22:37:35 UTC 2021 - Michael Gorse <mgorse@suse.com>
|
||||||
|
|
||||||
|
- Update avahi-daemon-check-dns.sh from Debian. Our previous
|
||||||
|
version relied on ifconfig, route, and init.d.
|
||||||
|
- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges
|
||||||
|
when invoking avahi-daemon-check-dns.sh (boo#1180827
|
||||||
|
CVE-2021-26720).
|
||||||
|
- Add sudo to requires: used to drop privileges.
|
||||||
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Feb 10 20:09:43 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
Wed Feb 10 20:09:43 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
@ -52,7 +52,7 @@ License: LGPL-2.1-or-later
|
|||||||
Group: System/Daemons
|
Group: System/Daemons
|
||||||
URL: http://www.avahi.org/
|
URL: http://www.avahi.org/
|
||||||
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
Source: http://avahi.org/download/%{_name}-%{version}.tar.gz
|
||||||
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.6.31-1.debian.tar.gz
|
# From http://packages.debian.org/sid/avahi-daemon http://ftp.debian.org/debian/pool/main/a/avahi/avahi_0.8-3.debian.tar.xz
|
||||||
Source1: avahi-daemon-check-dns.sh
|
Source1: avahi-daemon-check-dns.sh
|
||||||
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
# Copy of glib-2.0.m4 from glib2-devel to not depend on glib2-devel.
|
||||||
Source4: avahi-glib-gettext.m4
|
Source4: avahi-glib-gettext.m4
|
||||||
@ -105,6 +105,7 @@ BuildRequires: libevent-devel >= 2.1.5
|
|||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
Requires: nss-mdns
|
Requires: nss-mdns
|
||||||
|
Requires: sudo
|
||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
#
|
#
|
||||||
# mDNSResponder was used for <= 10.2:
|
# mDNSResponder was used for <= 10.2:
|
||||||
|